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GOST R 34.12-2015: Block Cipher ''Kuznvechik' 
Abstract 


This document is intended to be a source of information about the 
Russian Federal standard GOST R 34.12-2015 describing the block 
cipher with a block length of n-128 bits and a kev length of k-256 
bits, which is also referred to as ''Kuznvechik'. This algorithm is 
one of the set of Russian crvptographic standard algorithms (called 
GOST algorithms). 
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This document is not an Internet Standards Track specification; it is 
published for informational purposes. 


This is a contribution to the RFC Series, independently of any other 
RFC stream. The RFC Editor has chosen to publish this document at 
its discretion and makes no statement about its value for 
implementation or deployment. Documents approved for publication by 
the RFC Editor are not a candidate for any level of Internet 
Standard; see Section 2 of RFC 5741. 


Information about the current status of this document, any errata, 
and how to provide feedback on it may be obtained at 
http: //www.rfc-editor.org/info/rfc7801. 
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1. Scope 


The Russian Federal standard [GOST3412-2015] specifies basic block 
ciphers used as cryptographic techniques for information processing 
and information protection including the provision of 
confidentiality, authenticity, and integrity of information during 
information transmission, processing, and storage in computer-aided 
systems. 


The cryptographic algorithms specified in this standard are designed 
both for hardware and software implementation. They comply with 
modern cryptographic requirements and put no restrictions on the 
confidentiality level of the protected information. 


The standard applies to development, operation, and modernization of 
the information systems of various purposes. 
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2. General Information 


The block cipher "Kuznyechik" [GOST3412-2015] was developed by the 
Center for Information Protection and Special Communications of the 
Federal Security Service of the Russian Federation with participation 
of the Open Joint-Stock company "Information Technologies and 
Communication Systems" (InfoTeCS JSC). GOST R 34.12-2015 was 
approved and introduced by Decree 4749 of the Federal Agency on 
Technical Regulating and Metrology on June 19, 2015. 


Terms and concepts in the standard comply with the following 
international standards: 


o (ISO/IEC 10116 [ISO-IEC10116] and 


o series of standards ISO/IEC 18033 [ISO-IEC18033-1] 
[ISO-IEC18033-3]. 


3. Definitions and Notations 


The following terms and their corresponding definitions are used in 
the standard. 


3.1. Definitions 
Definitions 


encryption algorithm: process that transforms plaintext into 
ciphertext (Section 2.19 of [ISO-IEC18033-1]), 


decryption algorithm: process that transforms ciphertext into 
plaintext (Section 2.14 of [ISO-IEC18033-1]), 


basic block cipher: block cipher that for a given key provides a 
single invertible mapping of the set of fixed-length plaintext 
blocks into ciphertext blocks of the same length, 


block: string of bits of a defined length (Section 2.6 of 
[ISO-IEC18033-1]), 


block cipher: symmetric encipherment system with the property that 
the encryption algorithm operates on a block of plaintext, i.e., a 
string of bits of a defined length, to yield a block of ciphertext 
(Section 2.7 of [ISO-IEC18033-1]), 


Note: In GOST R 34.12-2015, it is established that the terms 
"block cipher" and "block encryption algorithm" are synonyms. 
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encryption: reversible transformation of data by a cryptographic 
algorithm to produce ciphertext, i.e., to hide the information 
content of the data (Section 2.18 of [ISO-IEC18033-1]), 


round key: sequence of symbols that is calculated from the key and 
controls a transformation for one round of a block cipher, 


key: 


sequence of symbols that controls the operation of a 


cryptographic transformation (e.g., encipherment and decipherment) 
(Section 2.21 of [ISO-IEC18033-1]), 


Note: In GOST R 34.12-2015, the key must be a binary sequence. 


plaintext: unencrypted information (Section 3.11 of 
[ISO-IEC10116]), 


key schedule: calculation of round keys from the key, 


decryption: reversal of a corresponding encipherment (Section 2.13 
of [ISO-IEC18033-1]), 


symmetric cryptographic technique: cryptographic technique that 
uses the same secret key for both the originator’s and the 
recipient’s transformation (Section 2.32 of [ISO-IEC18033-1]), 


cipher: alternative term for encipherment system (Section 2.20 of 
[ISO-IEC18033-1]), and 


ciphertext: data that has been transformed to hide its information 
content (Section 3.3 of [ISO-IEC10116]). 


3.2. Notations 


The following notations are used in the standard: 


Ve 


Dolmatov 


the set of all binary vector strings of a finite length 
(hereinafter referred to as the strings) including the empty 
string, 


the set of all binary strings of length s, where s is a non- 
negative integer; substrings and string components are 
enumerated from right to left starting from zero, 


direct (Cartesian) product of two sets, U and W, 


the number of components (the length) of a string A belonging 
to V* (if A is an empty string, then EN = 0), 
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A||B 


Z (2'n) 


(xor) 


Vec_s: 


Int_s: 


delta: 


nabla: 


PS 


PAS 
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concatenation of strings A and B both belonging to V*, i.e., 


a string from V_(|A|+|B|), where the left substring from 
v_|A| is equal to A, and the right substring from V_|B| is 
equal to B, 


ring of residues modulo 2'n, 


finite field GF (2) [x]/p(x), where p(x)=x"8+x"7+x"6+x+1 
belongs to GF (2) [x]; elements of field Q are represented by 
integers in such way that element 
z_0+z_1*theta+...+z_7*theta”7 belonging to Q corresponds to 
integer zZ_0+2*z_1+...+2%7*z_7, where z_i=0 or z i-1, 
i-0,1,...,7 and theta denotes a residue class modulo p(x) 
containing x, 


exclusive-or of the two binary strings of the same length, 


Z (28) -> V_s bijective mapping that maps an element from 


ring Z (2's) into its binary representation, i.e., for an 
element z of the ring Z_(2%s), represented by the residue 


+ (292 1) + ... + (2%? (s-1)*z_(s-1)), where z_i in (0, 1), 
0, ..., n-1, the equality Vec_s(z) = z_(s-1)||...||z_1]|z_ 
holds, 

V_s -> Z_(2%s) the mapping inverse to the mapping Vec_s, 


i.e., Int_s = Vec s'(-1), 


V_8 -> Q bijective mapping that maps a binary string from V 8 


into an element from field Q as follows: string 
lata ee | eee Og where z_i in {0, LT}, 1 = 0; cc. Ty 


corresponds to the element z_0+(z_1*theta)+...+(z_7*theta%7) 


belonging to Z, 


-> V8 the mapping inverse to the mapping delta, i.e., delta 


— nabla'(-1), 


composition of mappings, where the mapping S applies first, 
and 


composition of mappings P'(s-1) and P, where P'l-P. 
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4. Parameter Values 
4.1. Nonlinear Bijection 


The bijective nonlinear mapping is a substitution: Pi = 

(Vec 8)Pi' (Int 8): V_8 -> V_8, where Pi’: Z_(2%8) -> 3 Z (208). The 
values of the substitution Pi’ are specified below as an array Pi’ = 
(PI OY, Pal (1h) yo sig. (PE (255) )4 


Pi’ = 

( 252, 238, 221, 17, 207, 110, 49, 22, 251, 196, 250, 
218, 35, 197, 4, 77, 233, 119, 240, 219, 147, 46, 
153, 186, 23, 54, 241, 187, 20, 205, 95, 193, 249, 
24, 101, 90, 226, 92, 239, 33, 129, 28, 60, 66, 
139, 1 142; 19; 5, 132, 2, 174, 227, 106, 143, 
160, 6, HL, 237%, 152, 127; 212, 211; 31, 235, 52, 
44, 81, 234, 200, 72, 171, 242, 42, 104, 162, 253, 
58, 206, 204, 181, 112, 14, 86, 8, 12, 118, 18, 
191, 114, 19, 71, 156, 183, 93, 135, 21, 161, 150, 
41, 16, 123, 154, 199, 243, 145, 120, 111, 157, 158, 
178, 177, 50, 117, 25, 6l, 255, 53, 138, 126, 109, 
84, 198, 128, 195, 189, 13, 87, 223, 245, 36, 169, 
62, 168, 67, 201, 215, 121, 214, 246, 124, 34, 185, 
3, 224, 15, 236, 222, 122, 148, 176, 188, 220, 232, 
40, 80, 78, 51, 10, 74, 167, 151, 96, 115, 30, 
O, 98, 68, 26, 184, 56, 130, 100, 159, 38, 65, 
173, 69, 70, 146, 39, 94, 85, 47, 140, 163, 165, 
125, 105, 213, 149, 59, 7, 88, 179, 64, 134, 172, 
29, 247, 48, 55, 107, 228, 136, 217, 231, 137, 225, 
27, 131, 73, 76, 63, 248, 254, 141, 83, 170, 144, 
202, 216, 133, 97, 32, 113, 103, 164, 45, 43, 9, 
91, 203, 155, 37, 208, 190, 229, 108, 82, 89, 166, 
116, 210, 230, 244, 180, 192, 209, 102, 175, 194, 57, 

75, 99, 182). 
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Pi'(-1) is the inverse of Pi; the values of the substitution Pi'(-1)' 
are specified below as an array Pi'(-1)' = (Pi” (-1)' (0), Pi” (-1)' (1), 
, Pi? (-1)' (255)): 


( 165, 45, 50, 143, 14, 48, 56, 192, 84, 230, 158, 
57, 85, 126, 82, 145, 100, 3, 87, 90, 28, 96, 
7, 24, 33, 114, 168, 209, 41, 198, 164, 63, 224, 
39, 141, 12, 130, 234, 174, 180, 154, 99, 73, 229, 
66, 228, 21, 183, 200, 6, 112, 157, 65, 117, 25, 
201, 170, 252, 77, 191, 42, 115, 132, 213, 195, 175, 
43, 134, 167, 177, 178, 91, 70, 211, 159, 253, 212, 
15, 156, 47, 155, 67, 239, 217, 121, 182, 83, 127, 
193, 240, 35, 231, 37, 94, 181, 30, 162, 223, 166, 
254, 172, 34, 249, 226, 74, 188, 53, 202, 238, 120, 
5, 107, 81, 225, 89, 163, 242, 113, 86, 17, 106, 
137, 148, 101, 140, 187, 119, 60, 123, 40, 171, 210, 
49, 222, 196, 95, 204, 207, 118, 44, 184, 216, 46, 
54, 219, 105, 179, 20, 149, 190, 98, 161, 59, 22, 
102, 233, 92, 108, 109, 173, 55, 97, 75, 185, 227, 
186, 241, 160, 133, 131, 218, 71, 197, 176, 51, 250, 
150, 111, 110, 194, 246, 80, 255, 93, 169, 142, 23, 
27, 151, 125, 236, 88, 247, 31, 251, 124, 9, 13, 
122, 103, 69, 135, 220, 232, 79, 29, 78, 4, 235, 
248, 243, 62, 6l, 189, 138, 136, 221, 205, 11, 19, 
152, Bp 147, 128, 144, 208, 36, 52, 203, 237, 244, 
206, 153, 16, 68, 64, 146, 58, ip 38, T5, De; 
72, 104, 245, 129, 139, 199, 214, 32, 10, 8, 0, 
76, 215, 116). 


4.2. Linear Transformation 


The linear transformation is denoted by 1: (V_8)?16 -> V_8, and 
defined as: 


l(a_15,...,a_0) = nabla(l48'delta(a 15) + 32*delta(a_15) + 
133*delta(a_13) + 16*delta(a_12) + 194'delta(a 11) + 
192*delta(a_10) + 1*delta(a_9) + 251*delta(a_8) + 1*delta(a_7) + 
192*delta(a_6) + 194*delta(a_5) + 16*delta(a_4) + 133*delta(a_3) + 
32*delta(a_2) + 148*delta(a_1) +1*delta(a_0)), 

for all a i belonging to V_8, i= 0, 1, ..., 15, where the addition 


and multiplication operations are in the field Q, and constants are 
elements of the field as defined above. 
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4.3. Transformations 


The following transformations are applicable for encryption and 
decryption algorithms: 


X[x]:V_128->V_128 X[k] (a)=k(xor)a, where k, a belong to V_128, 


S:V_128-> V 128 S(a)=(a_15||...||a_0)=pi(a_15)||...||pi(a_0), where 
BTS) | eae E belongs to V_128, a_i belongs to V_8, i=0,1,...,15, 


S*(-1) :V_128-> V_128 the inverse transformation of S, which may be 
calculated, for example, as follows: 


S*(-1) (a_15||...]|a_0)=pir(-1) (a_15)||...||]pi*(-1) (a_0), where 
aia.) lao belongs to V 128, a i belongs to V 8, i-0,1,...,15, 

R:V_128-> 1128 R(a_15|ļ|...ļ]||a_0)=1(a_15,...,a_0)|ļ|a_15||...|ļa_1, 
where asf l-el ao belongs to V_128, a_i belongs to V_8, 


i-O brix Dy 
L:V_128-> V 128 L(a)=R"” (16) (a), where a belongs to V 128, 


R” (-1):V_128-> V_128 the inverse transformation of R, which may be 
calculated, for example, as follows: R*(-1) (a_15||...||a_0)=a_14] | 
aa. eo |i ca-i4 a T3; isra 0 a 15) where AAS) A E 
belongs to V 128, a i belongs to V 8, i-0,1,...,15, 


L” (-1) :V_128-> V. 128 L'(-1)(a)-(R'(-1))(16)(a), where a belongs to 
V 128, and 


F[k]:V_128[*]V_128 -> V_128[*]V_128 


F[k] (a_1,a_0)=(LSX[k] (a_1) (xor)a_0,a_1), where k, a 0, a 1 belong 
to V_128. 
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4.4. Key Schedule 


Key schedule uses round constants C_i belonging to V_128, i=1, 2, 
., 32, defined as 


C_i=L(Vec_128(1)), i-1,2,...,32. 
Round keys K_i, i=l, 2, ..., 10 are derived from key 


K=k_255||...||k_0 belonging to V_256, k i belongs to V 1, i=0, 1, 
-, 255, as follows: 


K_1=k_255]||...]|k_128; 

K_2=k_127||...||k_0; 
(K_(2i+1),K_(2i+2))=F[C_(8(i-1)+8)]... 
F[C_(8(i-1)+1)](K_(2i-1),K_(2i)), i=1,2,3,4. 


4.5. Basic Encryption Algorithm 
4.5.1. Encryption 


Depending on the values of round keys K_1,...,K_10, the encryption 
algorithm is a substitution E_(K_1,...,K_10) defined as follows: 


E_(K_1,...,K_10) (a)=X[K_10]LSX[K_9]...LSX[K_2]LSX[K_1] (a), 
where a belongs to V_128. 
4.5.2. Decryption 


Depending on the values of round keys K_1,...,K_10, the decryption 
algorithm is a substitution D_(K_1,...,K_10) defined as follows: 


D_(K_1,...,K_10) (a) =X[K_1]L% (-1) S* (-1)X[K_2]... 


L” (=1) S* (-1) X [K_9] L* (-1) S* (-1)X[K_10] (a), 


where a belongs to V_128. 
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Examples (Informative) 


Transformation S 


S (ffeeddcchbaa99881122334455667700) 


b66cd8887d38e8d77765aeea0c%alefc, 
(b66cd8887d38e8d77765aeea0c9aTefc) 
559d8dd7bd0 6cbhfe7e7b262523280d39, 
(559d8dd7bd0 6cbhfe7e7b262523280d39) 
0c3322fed531e4630d80ef5c5ba81c50b, 
(0c3322fed531e4630d80ef5c5a81c50b) 
23ae65633£842429c54£529c13f5acda. 


Transformation R 


R(00000000000000000000000000000100) 


94000000000000000000000000000001, 


R(94000000000000000000000000000001) 


a5940000000000000000000000000000, 


R(a5940000000000000000000000000000) 


64a59400000000000000000000000000, 


R(64a59400000000000000000000000000) 


0d64a594000000000000000000000000. 
Transformation L 


(64a59400000000000000000000000000) 
da456584dd0e3e84cc3166e4b7fa2890d, 
(d456584dd0e3e84cc3166e4b7£a2890d) 
79426221b87b584cd42fbc4ffea5deda, 
(79426221b87b584cd42fbc4ffea5deda) 
0e93691a0cfc60408b7b68f66b513c13, 
(0e93691a0cfc60408b7b68f66b513c13) 
e6a8094fee0aa204fd97bcbOb44b8580. 
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This section is for information only and is not a normative part of 
the standard. 
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5.4. Key Schedule 
In this test example, the key is equal to: 


K = 889Jaabbccddeef£0011223344556677fedcba9876543210012345678 
Jabcdef. 


= 8899aabbccddeeff0011223344556677, 


K 1 
K 2 fedcba98765432100123456789abcdef. 


C 1 = 6ea276726c487ab85d27bd10dd849401, 


XIC 11(K 1) = e63bdcc9a09594475d369f2399d1f276, 

SXIC 11(K 1) = 0998ca37a7947aabb78f4a5ae81b748a, 

LSXIC 11(K 1) = 3d0940999db75d6a9257071d5e6144a6, 

FIC 11(K 1, K 2) = = (c3d5fa0lebe36f7a9374427ad7ca8949, 


8899aabbccddeeff0011223344556677) . 


C 2 = dc87ece4d890f4b3ba4eb92079cbeb02, 
F [C_2]F [C_1] (K_1, K 2) = (37777748e56453377d5e262d90903f87, 
c3d5fa0lebe36£7a9374427ad7ca8949) . 


C_3 = b2259a96b4d88e0be7690430a44f7f03, 
F[C_3]...F[C_1] (K_1, K_2) = (f£9eae5£29b2815e31fllac5d9c29fb01, 
37777748e56453377d5e262d90903f87) . 


C_4 = 7bcd1b0b73e32ba5b79cb140f2551504, 
F[C_4]...F[C_1] (K_1, K 2) = (e980089683d00d4be37dd3434699b98f, 
f%eae5f29%b2815e31f1l1lac5d9c29fb01). 


C_5 = 156f£6d791fabslldeabbO0c502f£d18105, 
F[C_5]...F[C_1] (K_1, K_2) = (b7bd70acea4460714f4ebe13835c£004, 
€980089683d00d4be37dd3434699b98Ff) . 


C_6 = a7/4af/7/efab73d£160dd208608b9efe06, 
F[C_6]...F[C_1] (K_1, K 2) = (la46ealcf6ccd236467287df93fdf974, 
b7bd70acea4460714f4ebe13835c£004). 


C_7 = c9e8819dc73ba5ae50£5b570561a6a07, 
F[C_7]...F [C_1] (K_1, K_2) = (3d4553d8e9cfec6815ebadc40a9ffd04, 
la46ealcf6ccd236467287d£93fdf974). 


8 = £6593616e6055689adfbal8027aa2a08, 

3, KA) = F [C_8]...F [C_1](K_1, K_2) = 
(db31485315694343228d6aef8cc78c44, 
3d4553d8e9%cfec6815ebadc40a9ffd04). 


E 
(K 
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1, 2, ..., 10, take the following values: 


= 8899aabbccddeeff0011223344556677, 
= fedcba98765432100123456789abcdef, 
= db31485315694343228d6aef8cc78c44, 
= 3d4553d8e9cfec6815ebadc40a9ffd04, 
= 57646468c44a5e2843e59246£429flac, 
bd079435165c6432b532e82834da581b, 
= 51e640757e8745de705727265a0098b1, 
= 5a7925017b9fdd3ed72a91a22286f984, 
= bb44e25378c73123a5f32f73cdb6e517, 
710 = 72e9dd7416bcf45b755dbaa88e4a4043. 


specified in Section 5.4. Let the plaintext be 


a = 1122334455667700ffeeddccbbaa9988, 


then 


X[K_1] (a) = 
SX[K_1] (a) 

LSXIK 11(a) 
LSX[K_2]LSX 
LSX[K_3].. 
LSX[K_4].. 
LSX[K_5].. 
LSXIK 61.. 
LSXIK 71.. 
LSXIK 81.. 
LSXIK 91.. 


Then the ci 


99bb99FEIIDHIIELFLLLLLLLLLLLLLLLL, 


= e8/de8b6e87de8b6b6b6b6b6b6b6b6b6, 
= e297b686e355b0alcf4a2£9249140830, 


[K_1] (a) = 


-LSX[K_1] (a) 
.LSXIK 11(a) 
.LSXIK 11(a) 
.LSXIK 11(a) 
.LSXIK 11(a) 
.LSXIK 11(a) 
.LSXIK 11(a) 


phertext is 


285e497a08624596b36£f4258a1c69072, 


0187a3a429b567841ad50d29207cc34e, 
ec9bdba057d4£4d77c5d70619dcad206, 
1357fd11de9257290c2a1473eb6bcdel, 
28ae31e7d4c2354261027ef0b32897df, 
07e223d56002c013d3f5e6f714b86d2d, 
cd8ef 6cd97e0e092aBedcca61b38bf£65, 
0d8e40e4a800d06b2f1b37ea379%ead8e. 


encryption is performed on the round keys 


b = X[K_10]LSX[K_9]...LSX[K_1] (a) = 7£679d90bebc24305a468d42b9d4edcd. 
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5.6. Test Decrvption 


In this test example, decrvption is performed on the round kevs 
specified in Section 5.4. Let the ciphertext be 


b = 7£679d90bebc24305a468d42b9d4edcd, 
then 


XIK 101(b) = 0d8e40e4a800d06b2f1b37ea379ead8e, 

L” (-1) X[K_10] (b) = 8a6b930a52211b45c5baa43ff8b91319, 
S* (-1)1” (-1) X[K_10] (b) = 76ca149eef27d1b10d17e3d5d68e5a72, 
S* (-1)L” (-1) X[K_9] S%*% (-1) L* (-1) X[K_10] (b) = 
5d9b06d41b9d1d2d04d£7755363e94a9, 

Ss” (-1)L” (-1) X[K_8]...S%*(-1) L*% (-1) X[K_10] (b) = 
79487192aa45709c115559d6e9280f6e, 

S* (-1)L” (-1) X[K_7]...S%*(-1) L* (-1)X[K_10] (b) = 
ae506924c8ce331bb918fc5bdfbl95fa, 

S* (-1)L” (-1)X[K_6]...5* (-1)L” (-1)X[K_10] (b) = 
bbffbfc8939eaaffafb8e22769e323aa, 

S* (-1)L” (-1) X[K_5]...S%*(-1) L* (-1)X[K_10] (b) = 
3cc2f07cc07a8becO0f3eaded2ae33e4a, 

S* (-1)L” (-1) X[K_4]...S%*(-1) L*% (-1)X[K_10] (b) = 
£36£01291d0b96d591e228b72d011c36, 

S* (-1)L” (-1) X[K_3]...S%*(-1) L* (-1) X[K_10] (b) = 
1c4b0c1e950182b1ce696af5c0bfc5df, 
S^(-1)L^(-1)X[K_2]...S^(-1)L^(-1)X[K_10] (b) = 
99bb99ff99bb99ffffffFfFfFfFfFfFfFfFfFffff. 


Then the plaintext is 


a = X[K_1]S^(-1)L^(-1)X[K_2]...S^(-1)L^(-1)X[K_10] (b) = 
1122334455667700ffeeddcchbaa9988. 


6. Security Considerations 


This entire document is about security considerations. 
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